I have an Omada network set up in a small office, basically using WiFi for all users. But it will grow in number of users, devices and rules for access between networks. 

I have the following TP-Link equipment, and I bought another TP-Link Switch and even a firewall to improve this.

This is my list of available equipment:

• ISP Modem (Bridge Mode);
• Netgate SG-1100*;
• TP-Link Router ER-650;
• TP-Link Controller OC200;
• TP-Link Switch TL-SG1008P;
• TP-Link Switch SG-3210**;
• TP-Link EAP235-Wall.

My idea is to have some of the subnets below:
 

• Admin: WiFi/LAN network for company/network administrators;
• Developers: WiFI-only network for developers;
• Customer Service: WiFi-only network for customer service employees.
• IOT: WiFi-only network for IOT devices and WiFi security cameras;
• Server: Network wired to a server (PC), which can be accessed by developers and admin, but this server cannot access anything else;
• Printers: A WiFi network for printers, which can be accessed by admins, developers and customer service, but she cannot access anything.
• Telecom Device: A device connected to the network via cable, which will be available to be accessed via the internet, but can never be accessed locally by other groups and cannot access the network either. This device can only be accessed via cable (in LAN) by the switch TL-SG1008P through a port intended for it.
  It would be great if I could define which IPs will be able to access this device via the internet.

All these networks can access the internet.

Other problems I have are:

• How to use a static IP for the internet? Since my modem in bridge mode doesn't allow me to set a static IP;
• How to integrate Netgate in this network? 

Does TP-Link have any material explaining how to create a network similar to this one or does anyone recommend some material to help me on this journey?

As previously only two people used WiFi (+ wifi cameras and printers) it was easy to manage, but with the new devices/users and access rules things got a little out of hand. 

* However, I didn't implement it on my current network, but I want to put it to filter requests and block some access to suspicious sites. 

**I purchased this switch to be able to separate the network into subnets through cabling, as a device will be visible via the static IP through the internet and I don't want it to have access to other items on the network and items on the network not to access it.